FB Canvas authorization redirection is kicking me

Posted 2020-05-08 10:43

Question:

I have a Canvas application that allows the user to first see what it's all about, and then asks for permissions only if he wishes to perform certain actions.

When the user enters the application it starts without requiring permissions. We provide a "Login" link which will make a request to

https://www.facebook.com/dialog/oauth/authorize?client_id=XXX&redirect_uri=http://myapp.com&scope=publish_stream

This causes the Facebook logo to appear with a link that says "Go To Facebook.com". I understand that there are cross-frame problems that cause this, and that it can be fixed by simply putting target=_top onto the link (or playing around with JavaScript). For now, I want to keep things simple so I don't use this. I do notice that this is in an iframe_canvas, which is good, so I click on that link and get to "Request for Permission", which takes over the screen (didn't this use to be a popup?), and the iframe_canvas seems to have gone away, and I now have UIFullPage_Container.

I click Allow and Facebook redirects the browser to

http://myapp.com&code=XXXXXXX

This is bad because my "Canvas" application has broken out of the canvas and taken over the whole browser.

Is there something I'm doing wrong, or is this some type of Facebook bug? Do I simply redirect this back to http://apps.facebook.com/mycanvasapp, and if so is there some way to pass some parms?

Answer 1:

Just redirect them to https://apps.facebook.com/yourcanvasapp/whateveryouwant?here=isokay. The part after yourcanvasapp/ is sent to your server. You'll get the signed_request as a post arg, and the other params and path in the query string.

In other words, if your secure canvas URL is https://myapp.com/fbapp/, and you send the user to https://apps.facebook.com/mycanvasapp/foo?bar=baz, Facebook will send a POST to https://myapp.com/fbapp/foo?bar=baz and signed_request in the POST-data.
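
The signed_request that arrives in that POST should be verified before anything in it is trusted. The following is an added example, not part of the answer above: it assumes the documented format (base64url signature, a dot, then a base64url JSON payload signed with HMAC-SHA256 under the app secret), and the secret, payload values and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

APP_SECRET = b"constructed-app-secret"  # placeholder, not a real app secret


def b64url_decode(data: str) -> bytes:
    # The '=' padding is stripped in signed_request; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_signed_request(payload: dict, secret: bytes) -> str:
    """Build a constructed sample in the same format, for local testing only."""
    body = b64url_encode(json.dumps(payload).encode("utf-8"))
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return b64url_encode(sig) + "." + body


def parse_signed_request(signed_request: str, secret: bytes):
    """Return the payload dict if the signature is valid, otherwise None."""
    try:
        sig_b64, body = signed_request.split(".", 1)
        sig = b64url_decode(sig_b64)
        # The MAC covers the encoded payload string exactly as received.
        expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison; reject before parsing any untrusted JSON.
        if not hmac.compare_digest(sig, expected):
            return None
        payload = json.loads(b64url_decode(body))
    except ValueError:  # bad split, bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(payload, dict):
        return None
    # Refuse anything that does not declare the algorithm we verified with.
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    return payload


if __name__ == "__main__":
    sample = make_signed_request(
        {"algorithm": "HMAC-SHA256", "user_id": "1000", "issued_at": 1588934580},
        APP_SECRET,
    )
    print(parse_signed_request(sample, APP_SECRET))
```

A request whose signature was made with a different secret, or whose payload half was swapped after signing, returns None and should be treated as an unauthenticated visit.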



Answer 2:

Maybe I'm missing something here, but how is not using target=_top keeping things simpler? It is actually what Facebook is forcing you to do anyway by displaying the "Go to Facebook.com" link; it's implementing a top-level redirect because it's necessary for it to display the permissions dialog page. So why not just do it yourself and save the user a potentially confusing intermediate step?

As far as getting back into the iframe, it would probably be easier to use apps.facebook.com/yourapp/somepage as your redirect_uri and that way it will go directly back into "app" mode.